BTI420 notes – Thu Mar 26 and Mon Mar 30

Hands-on with Assignment 2.

.

Security-related topics and notes

In the default configuration – if you make no other changes to the Microsoft-provided template, or to the professor-supplied project template – the Email property’s value can be used to uniquely identify an authenticated user.

How do we know that this is true? Continue reading the content below.

.

ApplicationUser class, and its IdentityUser base class

When stored (in the database-hosted data store), the primary key (which is unique by definition) of an IdentityUser is a string property named Id.

-- other code...
[Id]                   NVARCHAR (128) NOT NULL,
-- other code...
CONSTRAINT [PK_dbo.AspNetUsers] PRIMARY KEY CLUSTERED ([Id] ASC)

.

Its value is a GUID; for example “56ba57a6-8dbd-40f4-9866-fea52c7ebce9”.

From the MSDN reference document:

“A GUID is a 128-bit integer (16 bytes) that can be used across all computers and networks wherever a unique identifier is required. Such an identifier has a very low probability of being duplicated.”

How low is the probability? The Wikipedia article states that “only after generating 1 billion UUIDs every second for the next 100 years, the probability of creating just one duplicate would be about 50%.” That figure is for randomly generated (version 4) UUIDs, which is the kind Guid.NewGuid() produces; the IdentityUser constructor assigns Guid.NewGuid().ToString() to Id, so you do not set it yourself.

To a developer or user, a GUID is represented as 32 hex characters, shown in 5 groups which are separated by hyphens (dashes), as you see in the example above. The .NET Framework has a type, System.Guid, that will generate one (Guid.NewGuid()) and parse or validate one (Guid.TryParse) if you need to in your app.

.

Other user identifiers

The template-provided Register view and view model ask for:

  • Email

Then, the template-provided implementation of the Register method sets the following two properties in the new ApplicationUser object to the same user-entered value:

  • UserName
  • Email

In the database-hosted data store, the UserName column in the AspNetUsers table has a unique index (note that the Email column does not):

-- other code...
[UserName]             NVARCHAR (256) NOT NULL,
-- other code...
CREATE UNIQUE NONCLUSTERED INDEX [UserNameIndex]
    ON [dbo].[AspNetUsers]([UserName] ASC);

.

Therefore…

UserName is unique.

In addition, in the default configuration of the project template (not of the ASP.NET Identity library itself)…

Email is unique.

How do we know this?

In the App_Start folder, there is an ApplicationUserManager class (in the IdentityConfig.cs source code file). Look at its Create() method, where the UserValidator is configured, and look for:

RequireUniqueEmail = true;

This is explained more in this StackOverflow post. Note that the ASP.NET Identity library’s own default for this setting is false; it is the project template that turns it on. The check runs in the UserValidator when a user is created or updated through the UserManager; it is not a unique index on the Email column, so code that writes to AspNetUsers without going through the UserManager does not get this guarantee. (If you need to, you can change this behaviour.)
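The following shows the relevant part of the template’s ApplicationUserManager.Create() method, together with a small check that registers the same address twice and confirms the second attempt is rejected. This is an added example written for these notes, not code from the page or from Microsoft’s template as shipped: the Create() method follows the template’s shape, but the RegistrationCheck class and the sample addresses and passwords are assumptions for illustration.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.EntityFramework;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;

// Assumes the template's ApplicationUser : IdentityUser and
// ApplicationDbContext : IdentityDbContext<ApplicationUser> exist in the project.
public class ApplicationUserManager : UserManager<ApplicationUser>
{
    public ApplicationUserManager(IUserStore<ApplicationUser> store) : base(store) { }

    public static ApplicationUserManager Create(
        IdentityFactoryOptions<ApplicationUserManager> options, IOwinContext context)
    {
        var manager = new ApplicationUserManager(
            new UserStore<ApplicationUser>(context.Get<ApplicationDbContext>()));

        // The UserValidator runs inside CreateAsync/UpdateAsync. This is the only place
        // Email uniqueness is enforced: AspNetUsers has a unique index on UserName, not
        // on Email, and the library default for RequireUniqueEmail is false.
        manager.UserValidator = new UserValidator<ApplicationUser>(manager)
        {
            AllowOnlyAlphanumericUserNames = false, // UserName holds an e-mail address
            RequireUniqueEmail = true
        };

        manager.PasswordValidator = new PasswordValidator
        {
            RequiredLength = 6,
            RequireNonLetterOrDigit = true,
            RequireDigit = true,
            RequireLowercase = true,
            RequireUppercase = true
        };
        return manager;
    }
}

// Added check (not part of the template): exercise the validator with a duplicate address.
public static class RegistrationCheck
{
    public static Task<IdentityResult> RegisterAsync(
        ApplicationUserManager manager, string email, string password)
    {
        // Same as the template's Register action: both properties get the e-mail address.
        var user = new ApplicationUser { UserName = email, Email = email };
        return manager.CreateAsync(user, password);
    }

    public static async Task<bool> DuplicateEmailIsRejectedAsync(ApplicationUserManager manager)
    {
        // Constructed sample data; the passwords satisfy the PasswordValidator above.
        var first = await RegisterAsync(manager, "alice@example.com", "Correct-Horse1");
        var second = await RegisterAsync(manager, "alice@example.com", "Battery-Staple2");

        // With RequireUniqueEmail = true, 'second' fails with an
        // "Email 'alice@example.com' is already taken." error in second.Errors.
        return first.Succeeded && !second.Succeeded;
    }
}
```

If you set RequireUniqueEmail back to false, the second call succeeds (the two rows differ only in Id) and the method returns false; that is the quickest way to see that the uniqueness of Email comes from this one setting rather than from the database schema.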

.

ASP.NET Identity “ApplicationUser” object

The contents of an ApplicationUser object can be seen by adding a breakpoint to a ‘register’ or ‘login’ method, and examining the ‘user’ object.

The image below shows the contents of an ApplicationUser object, just after a successful login. Click to view the image full-size in its own tab/window:

debug-identity-user-object-contents

.

Controller “ClaimsIdentity” User object

In the previous class/session, you learned that after a successful login, a security principal object is attached to the context of the currently-executing request.

In a controller method, this security principal object is exposed as the User property. The object’s type is IPrincipal, and its Identity property is an IIdentity. Under ASP.NET Identity the identity is actually a ClaimsIdentity, so if you cast User.Identity to that type (the cast yields null if it is something else, so check the result)…

var identity = User.Identity as ClaimsIdentity;

.

…then you can examine its property values.

The following shows the contents of a ClaimsIdentity User object (while in a controller), based on the code in the “Security Intro” example in this course’s GitHub code repository. Click to view full-size in its own tab/window:

debug-user-object-contents

.

Mapping (matching) the properties between the two types

Where is the UserName property from the ApplicationUser class? In the Name property:

ApplicationUser object                        System.Security.Claims.ClaimsIdentity object
(ASP.NET Identity application user object)    (security principal object, on the request context thread)

UserName                                      Name

The Id property also travels with the principal, as the NameIdentifier claim; the Microsoft.AspNet.Identity extension methods User.Identity.GetUserName() and User.Identity.GetUserId() read the Name and NameIdentifier claims respectively. Email is not issued as a claim by the template’s sign-in, so to get it you look the user up in the store by Id.
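The following controller action puts the two previous sections together: it casts the request’s User.Identity to ClaimsIdentity (checking that the cast worked), reads the Name and NameIdentifier claims, and then loads the matching ApplicationUser from the store to confirm the mapping and to fetch Email. This is an added example, not code from the course’s “Security Intro” repository; it assumes the template’s ApplicationUserManager and ApplicationUser types, and the controller name WhoAmI is hypothetical.

```csharp
using System.Linq;
using System.Security.Claims;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;

// Added example: hypothetical controller, not from the course repository.
[Authorize]
public class WhoAmIController : Controller
{
    // Same pattern the template's AccountController uses to reach the user manager.
    private ApplicationUserManager UserManager
    {
        get { return HttpContext.GetOwinContext().GetUserManager<ApplicationUserManager>(); }
    }

    // GET /WhoAmI
    public ActionResult Index()
    {
        // 'as' returns null if the principal is not claims-based, so test the result
        // rather than dereferencing it blindly.
        var identity = User.Identity as ClaimsIdentity;
        if (identity == null || !identity.IsAuthenticated)
        {
            return new HttpUnauthorizedResult();
        }

        // ClaimTypes.Name carries ApplicationUser.UserName;
        // ClaimTypes.NameIdentifier carries ApplicationUser.Id (the GUID string).
        // GetUserName()/GetUserId() are Identity's helpers that read those two claims.
        string userName = identity.GetUserName();
        string userId = identity.GetUserId();

        // Email is not a claim by default, so read it from the user store, keyed by the
        // stable Id rather than by the user-chosen name.
        ApplicationUser user = UserManager.FindById(userId);
        if (user == null)
        {
            // The cookie outlived the account (user deleted): treat as not signed in.
            return new HttpUnauthorizedResult();
        }

        return Json(new
        {
            Id = userId,
            UserName = userName,
            Email = user.Email,
            // True under the default template, since the Name claim is built from UserName.
            UserNameMatchesNameClaim = user.UserName == userName,
            // Every claim on the principal, handy for the same inspection the
            // breakpoint screenshots above show.
            Claims = identity.Claims.Select(c => new { c.Type, c.Value }).ToList()
        }, JsonRequestBehavior.AllowGet);
    }
}
```

Because the lookup is by Id, this action keeps working even after a user changes their UserName or Email; looking up by the Name claim instead would silently break for the duration of the old cookie.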

.

This diagram also shows this mapping. Click to open it full-size in its own tab/window:

SecurityClasses

.

Summary

In the default configuration – if you make no other changes to the Microsoft-provided template, or to the professor-supplied project template – the Email property’s value can be used to uniquely identify an authenticated user. This holds because the template copies Email into UserName (which has a unique index) and sets RequireUniqueEmail = true in the UserValidator; the Id (a GUID string, carried as the NameIdentifier claim) remains the key that never changes, and is the safer choice for anything you store against a user.

.

FYI – authenticate with user name or email address

This developer shows how to log in with either user name or email address in this document.

.
